Recent updates to Gartner’s Innovation Insights for Extended Detection and Response (XDR) report reveal the analyst firm’s latest thinking about the emerging security category. I gathered some of the key insights to help you navigate what’s probably the most hyped category in cybersecurity at the moment.
Let’s start with the most essential question:
What is XDR and what are its key functionalities?
XDR is an emerging set of technologies offered by a growing number of security vendors, aimed to collect and automatically correlate data from multiple security and IT sources, unifying them into a single threat incident detection and response platform. Typical XDR solutions are cloud-native and SaaS-based.
According to Gartner, the four primary functions of an XDR system are:
- Collection of common security products that are integrated out-of-the-box
- Centralization and normalization of data in a central repository for analysis and query
- Improved detection sensitivity resulting from the contribution of multiple security products working in coordination
- Correlated incident response capability that can change the state of individual security products as part of the recovery process
Now that we’ve defined XDR and what it's used for, let’s dive into its importance in the new Security Operations Center (SOC) as described in Gartner’s report.
#1 - Security and risk management leaders are struggling with too many security tools from different vendors with little integration of data or incident response
Siloed security solutions reduce the ability to stitch together signals into a coherent understanding of an incident, and significantly reduce the productivity of security analysts, who must monitor alerts in a variety of tools and investigate them manually.
#2 - XDR products improve security operations productivity with their out-of-the-box alert and incident correlation, as well as built-in automation
XDR products reduce the complex configuration of security tools, such as detection rule management and manual incident investigation, thus providing better security outcomes. Through automation and better security analytics, many XDR tools reduce the overall number of alerts into a smaller set of well-investigated incidents and provide a broad context for incident investigation and response.
The ability of XDR solutions to automatically cross-correlate all data across the enterprise at scale provides a better security posture, combining weak signals from multiple sources into stronger signals of malicious intent.
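The four functions listed above (normalization into a central schema, cross-product correlation, and a response that changes the state of individual products) and the "weak signals into a stronger signal" idea are easier to see in code than in prose. The following is an added illustration, not code from Hunters, Gartner or any XDR product: three constructed alert feeds in different vendor shapes (an EDR, an identity provider and an email gateway) are normalized into one event schema, clustered per user inside a time window, and scored; a cluster becomes an incident only when its combined score clears a threshold that no single signal reaches and at least two products corroborate it. The weights, the 30-minute window, the threshold, the field names and the response actions are all assumptions made for the example.

```python
# Added example: normalize constructed alerts from three products, correlate them per
# user in a time window, and promote combined weak signals to an incident with a
# per-product response plan. Not the code of any real XDR product.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in three vendor-specific shapes (not real product output).
EDR_ALERTS = [
    {"time": "2021-06-01T09:02:00Z", "hostname": "WS-0417", "user": "jdoe",
     "rule": "office_app_spawns_powershell", "confidence": "low"},
    {"time": "2021-06-01T14:10:00Z", "hostname": "WS-0912", "user": "asmith",
     "rule": "unsigned_binary_execution", "confidence": "low"},
]
IDP_EVENTS = [
    {"ts": "2021-06-01T09:05:30Z", "actor": "jdoe", "event": "mfa_push_denied",
     "ip": "203.0.113.7"},
]
EMAIL_EVENTS = [
    {"received": "2021-06-01T08:58:00Z", "recipient": "jdoe",
     "verdict": "suspicious_attachment"},
]

WINDOW = timedelta(minutes=30)   # assumption: signals this close in time may be one attack
INCIDENT_THRESHOLD = 5           # assumption: no single weak signal reaches this score
MIN_SOURCES = 2                  # an incident needs corroboration from >= 2 products

# Constructed weights: every weak signal on its own scores well below the threshold.
WEIGHTS = {
    "office_app_spawns_powershell": 2,
    "unsigned_binary_execution": 2,
    "mfa_push_denied": 2,
    "suspicious_attachment": 2,
}

# Hypothetical response actions per product: the "change the state of individual
# security products" function, expressed here as a plan rather than executed.
RESPONSE_ACTIONS = {
    "edr": lambda ev: f"isolate host {ev['host']}",
    "idp": lambda ev: f"revoke sessions and require password reset for {ev['entity']}",
    "email": lambda ev: f"quarantine message delivered to {ev['entity']}",
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _event(source, ts, entity, host, signal):
    """One record in the common schema; unknown signals get the weakest weight."""
    return {"source": source, "ts": parse_ts(ts), "entity": entity, "host": host,
            "signal": signal, "weight": WEIGHTS.get(signal, 1)}


def normalize(edr=EDR_ALERTS, idp=IDP_EVENTS, email=EMAIL_EVENTS):
    """Map each vendor shape onto the common schema, sorted by time (the
    'centralization and normalization' function)."""
    events = [_event("edr", a["time"], a["user"], a["hostname"], a["rule"]) for a in edr]
    events += [_event("idp", a["ts"], a["actor"], None, a["event"]) for a in idp]
    events += [_event("email", a["received"], a["recipient"], None, a["verdict"])
               for a in email]
    return sorted(events, key=lambda e: e["ts"])


def cluster_by_entity(events):
    """Group events per user; an event within WINDOW of the previous one joins
    the same cluster, otherwise a new cluster starts."""
    per_entity = defaultdict(list)
    for e in events:
        per_entity[e["entity"]].append(e)
    clusters = []
    for evs in per_entity.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] <= WINDOW:
                current.append(e)
            else:
                clusters.append(current)
                current = [e]
        clusters.append(current)
    return clusters


def build_incidents(events=None):
    """Promote a cluster to an incident only when its combined score and the
    number of distinct products both clear their thresholds."""
    events = normalize() if events is None else events
    incidents = []
    for cluster in cluster_by_entity(events):
        score = sum(e["weight"] for e in cluster)
        sources = sorted({e["source"] for e in cluster})
        if score < INCIDENT_THRESHOLD or len(sources) < MIN_SOURCES:
            continue  # remains a low-priority alert, not an incident
        # dict.fromkeys keeps first-seen order while removing duplicate actions
        response = list(dict.fromkeys(RESPONSE_ACTIONS[e["source"]](e) for e in cluster))
        incidents.append({
            "entity": cluster[0]["entity"], "score": score, "sources": sources,
            "signals": [f"{e['source']}:{e['signal']}" for e in cluster],
            "response": response,
        })
    return incidents


if __name__ == "__main__":
    for incident in build_incidents():
        print(incident)
```

Run as-is, the three jdoe signals (a suspicious attachment at 08:58, an Office application spawning PowerShell at 09:02, and a denied MFA push at 09:05) each score 2 and would be ignored individually, but together they form one incident with a score of 6 across three products and a response plan touching each of them; the lone low-confidence EDR alert for asmith never becomes an incident. The two thresholds are the design choice worth noting: the score alone rewards volume from a single noisy product, so requiring a second product is what makes the correlation a corroboration rather than just a sum.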
#3 - XDR can provide a cost-effective, agile alternative to SIEM
Like SIEM and SOAR solutions, XDR is built to integrate with a broad variety of security and IT tools, but XDRs are differentiated from SIEM and SOAR products by the level of built-in, out-of-the-box integrations available at deployment, and the focus of the solution on threat detection and incident response use cases.
Even though SIEM products have been around for a long time, and a few of them offer Next-Gen functionalities such as cloud deployment, many organizations have not managed to fully deploy SIEM tools, or only use SIEM for log storage and compliance. Many organizations find that using SIEM for threat detection and response is a resource-heavy effort that is not within their reach. Often security teams become overwhelmed by excessive, uncoordinated alerts that too often go unattended. They have a hard time developing detection rules and applying contextual indicators to combine multiple alerts or provide full incident response capability. XDR products are purposely built to solve this gap, focusing on delivering effective detection and response to targeted and advanced attacks across the attack surface, including native support for UEBA, threat intelligence, and analytics.
In some cases, XDR can provide a cost-effective, agile alternative to SIEM, especially XDRs that are built on modern, cloud-native data lakes. There, an XDR can provide cost-effective, always-hot data storage coupled with advanced analytics, serving as a complete SIEM replacement option. You can learn how Hunters can be used to replace SIEM solutions when combined with a cloud-based data lake like Snowflake in our recent blog.
#4 - XDR ≠ SOAR
SOAR tools were developed to accelerate and automate common response activities. However, because SOAR tools are disconnected from detection activities, their ability to launch automated response activities efficiently is limited.
XDR can solve this problem as it consolidates multiple security products into a cohesive security incident detection and response platform - providing context and visibility to each incident. It addresses the missing link between detection and response - incident investigation - providing context and understanding to detected incidents. This enables an effective approach to automated response through SOAR and remediation playbooks. Some XDR tools offer direct integration with SOAR, increasing the effectiveness of these tools, and some are developing built-in response capabilities.
#5 - Not all XDRs were created equal
Many XDR tools emerge from the need of security vendors that offer various point solutions (such as EDR, network security, etc.) to unify and integrate those tools into a single stack. These vendors are mostly focused on integrating their own set of products and may lack integrations with common security tools, since it is rare to find a security environment composed entirely of solutions from a single vendor. While a single-stack XDR may help organizations that own a few tools from a specific provider, it carries the risk of vendor lock-in without delivering the additional security benefit of integrating data across the entire attack surface. In many cases, cloud environments are left uncovered or only partially covered, creating blind spots and preserving the detection and response silos.
Open (or Hybrid) XDR solutions offer a vendor-agnostic approach to integrating all the solutions in one's environment. Applying them as a top-of-stack integration layer provides flexibility and avoids vendor lock-in. Building an Open XDR is not a trivial task, with challenges in areas such as data integration, ingestion and variety. Open XDR tools must be judged by the depth of their integrations as well as by the quality of their out-of-the-box analytics across the various tools they integrate with. Hunters integrates with dozens of security products and organizational tools to transform the security operations' ability to detect, investigate and respond to threats across attack surfaces.